Error=password_rejected, reason='Could not modify attribute for DN

description:
when I modified password,
error message:
WARN [org.keycloak.events] (default task-44) type=UPDATE_PASSWORD_ERROR, realmId=master, clientId=security-admin-console, userId=ce4b5650-90b3-4946-be86-67ee4b17bfc9, ipAddress=XX.XX.XX.XX, error=password_rejected, reason=‘Could not modify attribute for DN [CN=XXX,OU=XXX,OU=People,OU=Users,OU=XXX,DC=XXX,DC=com]’, auth_method=openid-connect, custom_required_action=UPDATE_PASSWORD, response_type=code

Hi @RalapZ

I have the same problem. Did you solve this in the meantime?

My Keycloak has a working LDAPS connection to my DC but still I can’t change passwords:

Could not modify attribute for DN [CN=TEST TESTER,OU=Benutzer,DC=domain,DC=local]

Finally found my fault.

The Bind DN user used for changing passwords didn’t have enough rights for changing the passwords… :roll_eyes:

Hey can you provide more details as what permission this the Bind DN user needed?

Hi @jsalameh

Please have a look here: https://petri.com/delegate-permission-reset-ad-user-account-passwords

This is for Active Directory, but any other LDAP should be similar.

You have to grant special rights to the user.
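As an added example (not code from this thread or from Keycloak), the following PowerShell script checks whether the Bind DN account Keycloak uses actually holds the "Reset Password" extended right on the OU containing the synced users, and, only when `$Apply` is set, delegates that right to descendant `user` objects instead of making the service account a domain admin. It also checks and optionally grants write access to `pwdLastSet`, which Keycloak needs when it flips the "must change password" state; treat that second right as an assumption if your setup never touches it. The account name and OU are placeholders; the GUIDs are resolved from the directory schema rather than hardcoded.

```powershell
# Added example: verify (and optionally delegate) the least-privilege rights a
# Keycloak LDAP bind account needs to reset AD user passwords.
# Requires the ActiveDirectory module (RSAT) and an account allowed to read/write
# the OU's security descriptor. Names below are placeholders.
Import-Module ActiveDirectory

$BindAccount = 'DOMAIN\svc-keycloak'               # placeholder: Keycloak's Bind DN user
$UsersOu     = 'OU=Benutzer,DC=domain,DC=local'    # placeholder: OU Keycloak syncs users from
$Apply       = $false                              # $true to write the missing ACEs

$rootDse = Get-ADRootDSE

# Resolve the relevant GUIDs from the schema/configuration partitions.
$resetPwdGuid = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID

$sid = (New-Object System.Security.Principal.NTAccount($BindAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Returns $true if the ACL directly grants $Sid the given right on $ObjectType
# (or GenericAll). Rights inherited via group membership are not resolved here.
function Test-DelegatedRight {
    param($Acl, [System.Security.Principal.SecurityIdentifier]$Sid,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch { continue }
        if ($aceSid -ne $Sid) { continue }
        if ($ace.ActiveDirectoryRights.HasFlag(
                [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { return $true }
        # An empty ObjectType means "all properties / all extended rights".
        if ($ace.ActiveDirectoryRights.HasFlag($Rights) -and
            ($ace.ObjectType -eq $ObjectType -or $ace.ObjectType -eq [guid]::Empty)) {
            return $true
        }
    }
    return $false
}

# Builds an ACE that applies only to descendant user objects of the OU.
function New-UserObjectAce {
    param([System.Security.Principal.SecurityIdentifier]$Sid,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
}

$acl = Get-Acl -Path "AD:\$UsersOu"
$needed = @(
    @{ Name = 'Reset Password (extended right)'
       Rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
       ObjectType = $resetPwdGuid },
    @{ Name = 'Write pwdLastSet'
       Rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
       ObjectType = $pwdLastSetGuid }
)

$missing = 0
foreach ($req in $needed) {
    if (Test-DelegatedRight -Acl $acl -Sid $sid -Rights $req.Rights -ObjectType $req.ObjectType) {
        Write-Host "OK      $BindAccount has '$($req.Name)' on $UsersOu"
    } else {
        Write-Warning "MISSING $BindAccount lacks '$($req.Name)' on $UsersOu"
        $missing++
        if ($Apply) {
            $acl.AddAccessRule((New-UserObjectAce -Sid $sid -Rights $req.Rights -ObjectType $req.ObjectType))
        }
    }
}

if ($Apply -and $missing -gt 0) {
    Set-Acl -Path "AD:\$UsersOu" -AclObject $acl
    Write-Host "Delegated $missing missing right(s) to $BindAccount on $UsersOu"
}
```

Run it first with `$Apply = $false` to see which rights the bind account is missing; an ACL that grants the right only through a group the account belongs to will be reported as missing, so check group membership before applying. Scoping the ACE to descendant `user` objects of the sync OU keeps the blast radius of a leaked Keycloak bind password to that OU rather than the whole domain.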